Solved

no desktop after removal of malware/viruses

Posted on 2011-09-21
Last Modified: 2013-11-22
I just cleaned a computer of over 100 malware/viruses, and on reboot, the background picture comes up, and I can see the arrow from the mouse. But no icons, no taskbar, nothing else at all. The Windows key does nothing. Ctrl-Alt-Del will bring up the Task Manager. What can I do/run?
Thanks.
Question by:yellow1053
18 Comments
 
LVL 16

Expert Comment

by:sjklein42
ID: 36578358
Try this first:

1. Right-click the desktop.
2. Point to Arrange Icons By.
3. Click Show Desktop Icons.

0
 
LVL 16

Expert Comment

by:sjklein42
ID: 36578386
If that doesn't work, then from within the Task Manager, try running "Explorer".
0
 

Author Comment

by:yellow1053
ID: 36578389
Right click and left click do nothing. Arrow never turns to an hourglass either. Thanks though.
0

 

Author Comment

by:yellow1053
ID: 36578394
Actually I had tried to manually start explorer but get the following error:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.
:(
0
 

Author Comment

by:yellow1053
ID: 36578397
Oh, and by the way, the same results when in safe mode too (just no background picture, just a black screen).
0
 
LVL 16

Expert Comment

by:sjklein42
ID: 36578426
The virus has apparently blocked the execution of explorer.exe.

Here's a suggestion of how to create a copy of explorer.exe with a different name "explore.exe".  This should bypass the block.

http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/123561

1. Hit Ctrl+Alt+Delete.
2. New task, browse C:\windows.
3. Copy explorer.exe and paste it in C:\windows. It will be called "copy of Explorer.exe". Rename it explore.exe.
4. Open regedit in C:\windows.
5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (single click on Winlogon).
6. Double-click on Shell (which is in the column beside Winlogon). In the place where it is written explorer.exe, write C:\windows\explore.exe (the new one you just pasted).
7. Hit Ctrl+Alt+Delete.
8. New task, browse C:\windows\explore.exe.
0
 
LVL 6

Expert Comment

by:ckivml
ID: 36578533
Did you try to boot in Safe Mode? If not, please boot your Windows in Safe Mode.

Press F8 and select safe mode

and see how it works
0
 
LVL 93

Expert Comment

by:nobus
ID: 36578746
0
 
LVL 93

Expert Comment

by:nobus
ID: 36578764
0
 
LVL 23

Expert Comment

by:phototropic
ID: 36578783
There is a full and complete explanation of how to fix this problem in the following EE article:

http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6209-Windows-XP-Vista-Recovery-rogue-Desktop-icons-missing-Empty-program-files.html?sfQueryTermInfo=1+30+desktop+icon+miss

To quote rpggamergirl:

"...These rogues hide files and move desktop shortcuts and Programs startmenu shortcuts into this folder --> %temp%\smtmp, it then creates 4 subdirectories:

%Temp%\smtmp\1\ => Allusers Start Menu
%Temp%\smtmp\2\ => Allusers Quick Launch
%Temp%\smtmp\3\ => Quick Launch\User Pinned\TaskBar
%Temp%\smtmp\4\ => AllUsers Desktop

If you did not empty your temp folder you can just retrieve those files from there. Or using restoresm.zip which will restore all the missing shortcuts.
Extract the file, open the restoresm folder and double-click on restoresm.bat to run it..."

Have you cleared your temp file cache since removing the malware?

0
 

Author Comment

by:yellow1053
ID: 36581648
sjklein42: I get the following error when trying to copy explorer: "Error copying file or folder Cannot copy explorer, access is denied"

ckivml: I did as noted above also try in Safe mode, but have the same results.

Nobus: sysu.exe and ddm_d.exe are not running in the processes, and explorer.exe does not have the hidden attribute set.

phototropic: I did not clear temp files, as I cannot access the desktop or anything since removing the viruses/malware. However, I copied and ran restoresm.zip, but same results on reboot. :(
0
 
LVL 16

Expert Comment

by:sjklein42
ID: 36583869
There are several ways the virus can disable access to explorer.exe.  This is the first place I'd check:

http://www.technipages.com/prevent-users-from-running-certain-programs.html

1. Click START>RUN and type GPEDIT.MSC

2. The Group Policy Editor appears.
Click on the plus sign next to User Configuration
then Administrative Templates
then System
and double-click the policy Don’t run specified Windows applications

3.  It should say "Not Configured".  If it says "Enabled", then click the "Show..." button to see if Explorer.exe has been blocked.
0
 
LVL 38

Expert Comment

by:younghv
ID: 36583908
The 'rpg' Article suggested by phototropic at http:#a36578783 is time-tested and has been used by many EE Members since it was published.

Please take a look (as suggested above) and walk through the steps provided:

http://www.experts-exchange.com/A_6209.html 
Windows-XP-Vista-Recovery-rogue-Desktop-icons-missing-Empty-program-files
0
 
LVL 16

Expert Comment

by:sjklein42
ID: 36584300
The virus may have blocked access to Explorer.exe by setting Special Permissions on it:

http://support.microsoft.com/kb/308419

At this point, I would load a good copy of Explorer.exe from another XP machine onto a USB drive, change its name to Explore.exe, and run it on the wounded machine directly from the USB drive.  At least then you will have a shell to work in.  Then check the Permissions on the Explorer.exe that is on your hard drive.

Note that you will need to (temporarily at least) disable Simple File Sharing in order to see the Security tab in the File Properties window.
0
 

Author Comment

by:yellow1053
ID: 36584992
sjklein42: Everything went as you said until I clicked on System, and your next step, "double-click the policy Don’t run specified Windows applications", can't be done as there is NO policy stating "don't run specified windows applications".

younghv: As I stated above, I did all that with no results. (I actually ran command first, and then ran it, so I could see what it was doing, and for all four files the result was 0 files copied. That temp directory doesn't exist.)

sjklein42: OK! We may be on to something here!!! I did as you suggested and ran a good copy of explore from a USB drive, and was able to check permissions. (Here's where it gets interesting!) I have TWO explorer files there! One is the normal exe file, and its permissions allow for one group, "Everyone", which is set to Full Control. But then there is an explorer.scf file whose permissions are many. There are four groups: Administrators, Power Users, System, and Users. Admin and System allow for full control. But Power Users and Users only allow for read and execute, and read.
Could this be the source of my problems??
0
 
LVL 16

Accepted Solution

by:
sjklein42 earned 2000 total points
ID: 36585613
The .scf file is a shortcut and does not explain why Explorer.exe cannot be accessed.

For now, you can work around the blocked Explorer.exe and should be able to boot normally after making this change:

- Copy the functional Explore.exe from the USB drive to your C:\Windows folder.
- Run regedit.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (single click on Winlogon).
- Double-click on Shell (which is in the column beside Winlogon). In the place where it is written explorer.exe, replace with C:\windows\explore.exe (the new file you just copied there).
0
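An added example, not part of the original posts: a small auditor for a registry export (`reg export` or regedit's File > Export) that reports the two registry settings this thread examines, the Winlogon Shell value and the "Don't run specified Windows applications" policy. The sample export is constructed, and the code assumes the policy is stored under the `Policies\Explorer` key in `HKEY_CURRENT_USER` as a `DisallowRun` value plus a `DisallowRun` subkey.

```python
import re

# Constructed sample of a .reg export; not taken from the machine in this thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\windows\\explore.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="explorer.exe"
'''

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# Assumed storage location of the "Don't run specified Windows applications" policy.
POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE.match(line)
            if m:
                data = m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    # String data: drop the quotes and undo .reg escaping.
                    data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
                current[m.group(1).lower()] = data
    return keys

def audit(text):
    """List findings for the Winlogon shell and the DisallowRun policy."""
    keys, findings = parse_reg(text), []
    shell = keys.get(WINLOGON, {}).get("shell")
    if shell is None:
        findings.append("Winlogon Shell value missing from export")
    elif shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is non-default: {shell}")
    if keys.get(POLICY, {}).get("disallowrun") == "dword:00000001":
        for _, exe in sorted(keys.get(POLICY + r"\disallowrun", {}).items()):
            findings.append(f"DisallowRun policy blocks: {exe}")
    return findings
```

Real exports from regedit are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `audit`. A machine left on the workaround above will keep reporting the non-default shell until the value is set back to `explorer.exe`.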
 

Author Closing Comment

by:yellow1053
ID: 36590889
Thanks a lot everyone!
0
